Transcript

Damien Carrick: Earlier in the week the former National Security Agency subcontractor turned leaker Edward Snowden held a live Q&A on the Guardian website.

Journalist [archival]: He is responding directly to questions posted by readers and a few posted by Guardian reporters as well…

Journalist [archival]: Snowden with kind of a dramatic note here saying, 'All I can say right now is the US government is not going to be able to cover this up by jailing or murdering me. Truth is coming and it cannot be stopped.'

Damien Carrick: Meanwhile over the weekend tech giants scrambled to respond to Snowden's revelation. Facebook and Microsoft revealed the bald number of requests they'd received from US law enforcement authorities generally, not just for national security requests. Google and Twitter declined to reveal their figures, saying the government wouldn't allow them to give the fuller information that gives a more accurate picture of the requests.

Dr Mark Gregory is a senior lecturer in electrical and computer engineering at RMIT. He thinks we shouldn't be too focused on these numbers.

Mark Gregory: The numbers that have been reported so far, and we're talking 50,000, 100,000 requests per year, the numbers are actually much greater than that if you look at the number of different programs and agencies and organisations involved. And we don't really need to focus on the numbers as such, we need to focus more on what's happening and why. There are many different dynamics in the world, everything from cyber crime, cyber espionage, surveillance happening on foreign nationals and locals, so we really need to identify what is happening, why is it happening, how do we control it and what checks and balances are in place.

Damien Carrick: On that point—do we have the right checks and balances—what do you make of this system being exposed by Edward Snowden? Did he do the right thing in exposing this system?

Mark Gregory: I think that there was some timing involved. It was in that first week of Bradley Manning's court case, the timing means that it was just too convenient from my perspective. The reality is anyone that's in the technology game and in the law enforcement game knows that this has been going on. It's been going on from the day that we first invented the first telephone.

Damien Carrick: But he's telling the public, he's making it clear to everyone.

Mark Gregory: So he's making it public and he's putting it out there, but in my view I didn't learn anything.

Damien Carrick: Is this information being collected through a warrant system or is it broader than that?

Mark Gregory: There's two different aspects. One is when you're operating within a country, like for example within the US or within Australia, you can collect the data or tell a carrier or an ISP to collect the data without a warrant, but to actually access the data and to look at the data and to use it, you require a warrant. Part of the problem is that they talk about metadata, and for your listeners, what that really is is a collection of information which is supposed to be desensitised and all the privacy information, all your personal information taken away and you're left with this metadata. The problem with it is (the Americans have admitted it) what they're doing is collecting information without warrants but only on one person, so they are collecting metadata about one person. So therefore even though your name has been taken out of the message, they still know who the message is about. So we are seeing abuses of the system, and we're going to see the same types of abuses within Australia.

Damien Carrick: What's our system here in Australia and briefly how does it compare with that in the USA?

Mark Gregory: The system in Australia is such that under the acts…and there are a lot of problems with the current acts, I'll say that up-front. In this area they are 20 years behind the times, they've got more holes than a sieve, and there is a lot of work needed to actually bring Australia up to date.

Damien Carrick: Does that mean they are ineffective or does that mean that our civil liberties are being compromised or both?

Mark Gregory: It means everything. It means that people are using those acts in ways that people didn't think that they should be used. Section 313 of the Telecommunications Act is the perfect example that people have been talking about more recently. What they're doing is using that section of that act to block access to websites, to gain access to people's information, and doing it without warrants. And they are also collecting information without any view to the information being deleted after a period of time. For example, if a particular investigation doesn't go ahead, the data should be deleted, but they're not deleting the data because there's no provisions requiring them to do that.

Remember, they were also going to bring in a two-year mandatory data retention scheme. Well, that's all gone by the wayside because someone put his hand up and said, but hang on, we can do the same thing using section 313 of the Telecommunications Act. That's not what the section was aimed at in the first place, the section was designed around carriers and ISPs preventing criminal activity, but what's happening is the government agencies are saying to them 'block this, do that, do this', but it's not going to the courts. No judge has actually signed a warrant or there has been no trial to say that XYZ is involved in criminal activity, therefore use section 313 to stop it.

Damien Carrick: Of course we've been talking about getting the balance right in terms of civil liberties versus effectiveness, but what is the extent of the problem that we need to address here? How big a problem is cyber security, be it national security or commercial security?

Mark Gregory: Well, let's put it this way, we are currently living through the greatest period of grand larceny in history. There is more crime on the digital network every year than decades, if not centuries, added together before now.

Mark Gregory: Absolutely. So every year as we go by we are seeing more cyber crime, more interaction between governments in terms of cyber warfare, we're seeing more spams, scams, malware, viruses, which ultimately lead to hundreds of billions of dollars in damage. So the problem that we have is that if we don't start to address some of these issues it's going to get away from us. And I would say that it has gotten away from us right now. We are in what I would say is a period of national crisis.

Damien Carrick: There was a great deal of attention on recent revelations by the ABC that the Chinese government had hacked into the confidential blueprints for ASIO. Is China the main worry when it comes to national security, do you think, and cyber issues?

Mark Gregory: Not at all. Every country is attacking every other country, that's the nature of the digital world. It is a fluid and dynamic warfare scenario and it really is one that we need to be looking not just at our enemies but also at our friends because there's just too much temptation to try and gather information from whoever, even if it's a friend. So I wouldn't be picking the Chinese as the evil empire because they're not. They're doing what is sensible, they are utilising an available resource to collect as much information as they can, as quickly as they can.

Damien Carrick: In terms of industrial information though, the Chinese are playing catch-up to some degree against established Western firms. Can we say that in terms of industrial espionage the flow tends to be out of the West towards China?

Mark Gregory: Well, not just out of the West towards China but out of the West towards the West, and also towards the East and whatever you want to call it. And we desperately need to do what we can to ensure that we are not swamped in the process. If everyone else is gathering information online, we must do that too.

Damien Carrick: We've got to have a sword as well as a shield, is that what you're saying?

Mark Gregory: Absolutely, and we need to know that groups like ASIO, the Australian Signals Directorate, the Australian Defence Department, are not just sitting there trying to fight fires and defend themselves, they need to be developing tools that they can use to go on the offensive as well. And if they're not, then every Australian needs to be worried.

Damien Carrick: RMIT's Dr Mark Gregory.

The idea that countries need swords as well as shields is a view shared by Scott Borg. He is the director and chief economist with the US Cyber Consequences Unit.

Scott Borg: There are all kinds of important civil liberties issues at stake, but resolving them needs more than just condemning them or justifying them. What we need to do is start sorting out which of these activities we should actually be allowing or in fact even encouraging and which we should be forbidding. To do this we have to start distinguishing between monitoring by machines and monitoring by humans. We need to distinguish between monitoring traffic and monitoring individual communications. These things have very different consequences.

For example, if you do a lot of machine monitoring of communications you can then identify a much narrower range of communications as being worth looking into by humans. So, in effect, if you allowed the machines to do a lot of monitoring you can then write the search warrant or write the authorisation for human monitoring really narrowly and use that as a tool to look into a lot less in the way of personal communications.

Damien Carrick: Scott Borg says cyber espionage has many different purposes and we should be aware that hacking will be the major weapon in future wars.

Scott Borg: A real cyber war would be like a real war, it would result in large numbers of people killed and massive destruction to important property. So cyber attack could physically damage and destroy key elements of the electric power system. It could cause refineries to explode and catch fire. It could blow oil and gas pipelines, it could cause almost all financial transactions to be turned into chaos, to be unworkable, it could cause water and sanitation systems to fail so that they weren't producing or were producing contaminated product. You're spoiled for choice, it is whatever your imagination can come up with that you could do by taking control of that equipment. That can be done by a cyber attack.

Damien Carrick: And to date have we seen many examples of these kinds of tools of warfare?

Scott Borg: There are a few famous incidents, such as the use of a piece of malicious code, a malicious program called Stuxnet to chronically damage the uranium refinement facility being run by Iran. According to the New York Times and other sources, that tool was launched by America and Israel in collaboration to set back the Iranian nuclear program, which it did quite successfully.

Damien Carrick: There was also use of malware I think in…was it 2008?…when there was a conflict between Syria and Israel.

Scott Borg: In 2007 Israel ran a bombing attack to destroy the nuclear facilities in Syria, and they combined that with a cyber attack so that the computer screens that the Syrians were using for their defence didn't show any Israeli bombers, even though they were thundering overhead. The Israelis essentially took control of the Syrian radar defences and made the Syrians see whatever they chose, whatever they wanted them to see.

Damien Carrick: We've been hearing a lot in the US about defence corporations having a huge percentage of their sensitive information being hacked into by Chinese governments or corporations. Is there anything that can reasonably be done to prevent that kind of intrusion?

Scott Borg: We have a number of things here that are going on at once. We have many different groups in China that are using cyber attacks, often in competition with each other, certainly without any very good central coordination. The bulk of those cyber attacks out of China are intended to steal competitively important business information that will benefit the Chinese economy, that will allow Chinese factories to basically replace Western factories in the global economy.

Combined with that is a very extensive espionage program carried out not just by China but by most of the countries in the world. The main way that we steal each other's secrets these days is by cyber attacks, not by other kinds of spying. The cyber attacks that are carried out by national intelligence agencies are so sophisticated that they are really, really difficult to stop. We can however make it very much more costly to carry out these cyber attacks. The strategy for defending against cyber attacks, whether it's cyber attacks to steal business secrets or whether it's cyber attacks to steal military secrets is to improve the defences to the point that the attacking company or organisation or country just finds it really expensive to carry them out. This reduces the amount of secrets they can steal, it just limits that whole activity.

Damien Carrick: You're talking about money, you're talking about resources, and I guess especially the commercial espionage is all about economic advantage. How big a threat do you see this commercial espionage being to the prosperity of countries like the USA and smaller countries like Australia?

Scott Borg: The theft of competitively important business information is already very expensive. It's costing the American economy tens of billions of dollars a year. It has the potential to increase to 10 times that. If that happens, that economic loss would make the difference between times of prosperity, practically boom times, and times of economic pain.

Damien Carrick: Scott Borg, director and chief economist with the US Cyber Consequences Unit. He was in Melbourne for an address to The Cranlana Programme, an independent, not-for-profit organisation which fosters ethical discussion around these sorts of tough cutting-edge issues.

That's the Law Report for this week. Thanks for listening. Do catch up on the show, just visit the Law Report online at abc.net.au/radionational. Thanks to producer James Pattison, and also to audio engineers this week Matthew Crawford and Nick McCorriston. I'm Damien Carrick, talk to you next week with more law